Posted on 11/24/2015 6:50:06 PM PST by dayglored
Analysis
Dell ships Windows computers with software that lets websites slurp up the machine's exact specifications, warranty status, and other details without the user knowing.
This information can be used to build a fingerprint that potentially identifies a person while she browses across the web. It can be abused by phishers and scammers, who can quote the information to trick victims into thinking they're talking to a legit Dell employee. And, well, it's just plain rude.
A website created by a bloke called Slipstream - previously in these pages for exposing security holes in UK school IT software - shows exactly how it can work.
This proof-of-concept code exploits a weakness in the design of Dell's support software to access the computer's seven-character service tag - an identifier that Dell's support website uses to look up information on the machine, including the model number, installed components, and warranty data.
Visit Slip's page above to see it in action - assuming you have a Dell running Dell Foundation Services. Be warned, though, it does play some fun chiptune music, so mute your speakers if you're still at work.
Slipstream says his website does not exploit the eDellRoot root CA certificate that turned up in new models of Dell laptops and PCs - but the Dell Foundation Services software that uses the dodgy cert.
As documented by Duo Security, Dell Foundation Services starts up a web server on TCP port 7779 that accepts requests for the service tag.
All a website has to do is, in JavaScript, request this URL:
http://localhost:7779/Dell%20Foundation%20Services/eDell/IeDellCapabilitiesApi/REST/ServiceTag
and the foundation services returns exactly that - the service tag. No authentication required. This serial code can then be fed into Dell's support site to look up information about the machine.
The Register has tested the proof-of-concept site and verified that it does indeed pull up the service code on an Inspiron 15 series laptop bought in July. Slipstream also confirmed to The Reg that his script works even when the vulnerable root CA cert is removed by Dell's prescribed methods.
Aside from the possibility that a scammer could use the support number to gain user trust for a phony tech support call or other security con job, the proof-of-concept demonstrates just how deeply a third party can probe into a user's system by exploiting Dell's now-notorious support tools.
Dell was thrust into the spotlight yesterday when researchers first broke word of eDellRoot, a rogue certificate authority quietly installed on Windows machines that can be exploited by man-in-the-middle attackers to decrypt people's encrypted web traffic.
The Texas PC-slinger said the issue was merely a mishap related to its user support tools. Dell bristled at suggestions the flaw should be considered malware or adware, but nonetheless it has provided users with a removal tool.
The American biz has also pushed a software update that will automatically remove the vulnerable root CA cert from its machines.
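A local audit for the two issues the article describes, written here as an added example that is not from The Register, Slipstream or Dell. It uses the URL quoted above and assumes the service's display name begins with "Dell Foundation Services" and the certificate subject contains "eDellRoot"; run it in an elevated PowerShell prompt on the machine being checked.

```powershell
# Added example, not from the article or Dell: audit one Windows machine for the
# Dell Foundation Services service-tag endpoint on TCP 7779 and for the eDellRoot
# root CA certificate. Assumptions: service display name 'Dell Foundation Services*',
# certificate subject containing 'eDellRoot'. The URL is the one the article quotes.

$dfsUrl = 'http://localhost:7779/Dell%20Foundation%20Services/eDell/IeDellCapabilitiesApi/REST/ServiceTag'

function Test-DellExposure {
    $result = [ordered]@{
        ServiceState    = 'not installed'
        Port7779Listen  = $false
        TagEndpointOpen = $false
        eDellRootCerts  = @()
    }

    # 1. Is Dell Foundation Services installed, and is it Running or Stopped?
    $svc = Get-Service -DisplayName 'Dell Foundation Services*' -ErrorAction SilentlyContinue
    if ($svc) { $result.ServiceState = ($svc | Select-Object -First 1).Status.ToString() }

    # 2. Is anything listening on TCP 7779, the port the article names?
    $listener = Get-NetTCPConnection -LocalPort 7779 -State Listen -ErrorAction SilentlyContinue
    $result.Port7779Listen = [bool]$listener

    # 3. Does the REST endpoint answer an unauthenticated local request?
    #    If it does, any web page this machine visits can fetch the tag the same way.
    if ($result.Port7779Listen) {
        try {
            $resp = Invoke-WebRequest -Uri $dfsUrl -UseBasicParsing -TimeoutSec 3
            $result.TagEndpointOpen = ($resp.StatusCode -eq 200 -and $resp.Content.Length -gt 0)
        } catch { $result.TagEndpointOpen = $false }
    }

    # 4. Is eDellRoot still trusted in the machine or user root store?
    #    Removing the cert does not close the service-tag endpoint (per the article).
    $result.eDellRootCerts = @(
        Get-ChildItem Cert:\LocalMachine\Root, Cert:\CurrentUser\Root -ErrorAction SilentlyContinue |
            Where-Object { $_.Subject -match 'eDellRoot' } |
            Select-Object -ExpandProperty Thumbprint
    )

    [pscustomobject]$result
}

Test-DellExposure | Format-List
```

A machine with the cert removed but TagEndpointOpen still true matches the behaviour Slipstream reported: the cert fix alone leaves the service tag readable.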
Anyone who doesn’t do a clean/fresh install of the OS on ANY OEM computer they buy is just asking for trouble anyway. That’s the first thing I do when I get a new PC.
I have a Dell desktop computer,
bought March of this year.
...
in task manager,
indicates ..Dell Foundation Services, Stopped
...
any suggestions?
I'd leave it stopped. Disabled, if that's an option.
My Dell Inaperation has none of the issues listed.
My Dell Inspiration has none of the issues listed.
OEMs load PCs with so much bloatware, unneeded tools and other garbage, half the system resources are used up by junk right out of the box. It really is bad.
Best bet is to always get a Windows install CD (purchase the media with the PC) so you can install it clean without using their system restore option (that just puts all the garbage back again).
Just go to add/remove and uninstall the entire Dell Foundation Services bloatware package. It’s nearly useless anyway: all it does is provide Dell your service tag if you call them for service, something you can see on the service tag label on your PC and read out over phone. It’s ridiculous to have a whole service running in the background at all times, consuming RAM and CPU.
Just say no to all bloatware. Say no to DFS and uninstall it.
This is all you need to know. If you have a Dell system that you took out of the box and started using, you're vulnerable. If you're a corporate customer not using their CTO or OEM channel stuff, you're in the clear.
I was forced to script something to check all of our machines for this nonsense, and out of 1200 physical systems, not a single one had this root certificate.
I'm not defending Dell, this is ridiculous on their part, but for corporate customers, this is much ado about nothing.
So, if it comes preloaded with a Windows OS...you'll buy another copy of Windows and effectively pay for the OS software twice?
Depends on how much you value your time and frustration dealing with the crapware that came with the OEM installation. You can often buy hardware without Windows installed, save the Windows tax, and install a clean copy bought elsewhere.
When you use Windows, you must be prepared to pay, and pay some more, and then spend inordinate amounts of time fixing and cleaning and repairing. Or risk malware with "cracked" versions to save a few bucks.
Personally, I prefer to run my Windows in VMs (virtual machines) hosted on either Mac or Linux workstations. That said, I have three Windows installs "on the metal" at home, dual booted.
That's what I thought you meant but your comment in #5 led me to believe the PC had been bought with an OS.
No, you already have the OEM license generally when you buy the PC. Just pay a little extra and get the DVD media (they don’t include that, only their customized “restore” media) so you can install it clean and without all the garbage they stick in it. I don’t think it’s right, but they do charge extra for the Windows media. It’s a manageable cost though... usually 10 or 20 bucks or something like that. The install key is on a sticker on your computer; all you need is the install media and use your existing key from the sticker.